
Commit cebf916

XWIKI-20259: Improve escaping in Notification Preferences Macros
1 parent 841c557 commit cebf916


6 files changed

+13
-11
lines changed


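--- a/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsApplicationsPreferencesMacro.xml
+++ b/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsApplicationsPreferencesMacro.xml
@@ -982,7 +982,7 @@ require(['jquery', 'xwiki-meta', 'ApplicationWidget', 'xwiki-bootstrap-switch',
 #set ($targetUser = $xcontext.userReference)
 #set ($targetUserReference = $services.user.currentUserReference)
 #end
-#set ($divData = "data-user=""$services.model.serialize($targetUser)""")
+#set ($divData = "data-user=""$escapetool.xml($services.model.serialize($targetUser))""")
 #end
 #set ($userDoc = $xwiki.getDocument($targetUser))
 ######################################################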

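--- a/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsAutoWatchPreferencesMacro.xml
+++ b/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsAutoWatchPreferencesMacro.xml
@@ -391,7 +391,7 @@
 {{/error}}
 #elseif ($wikimacro.parameters.target == 'user' && "$!wikimacro.parameters.user" != "" && !$services.security.authorization.hasAccess('admin', $wikimacro.parameters.user.reference) && !$xcontext.userReference.equals($wikimacro.parameters.user.reference))
 {{error}}
-{{translation key="notifications.settings.error.userReferenceAdminForbidden" parameters="$wikimacro.parameters.user" /}}
+{{translation key="notifications.settings.error.userReferenceAdminForbidden" parameters="~"${services.rendering.escape($escapetool.java($wikimacro.parameters.user), 'xwiki/2.1')}~"" /}}
 {{/error}}
 #else
 #set ($discard = $xwiki.jsx.use('XWiki.Notifications.Code.NotificationsAutoWatchPreferencesMacro'))
@@ -403,7 +403,7 @@
 #set ($dataUser = "")
 #if ($wikimacro.parameters.target == 'user')
 #set ($mode = $services.notification.watch.getAutomaticWatchMode($targetUser))
-#set ($dataUser = "data-user=""$services.model.serialize($targetUser)""")
+#set ($dataUser = "data-user=""$escapetool.xml($services.model.serialize($targetUser))""")
 #else
 #set ($mode = $services.notification.watch.defaultAutomaticWatchMode)
 #end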
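Review bot: The new translation-parameter expression on line 394 stacks three transformations — the `~"` quoting, `$escapetool.java(...)` and `$services.rendering.escape(..., 'xwiki/2.1')` — with no comment on why each layer is there, and the same expression is repeated in NotificationsEmailPreferencesMacro.xml line 426. I read the layering as: java-escaping neutralises `"` and `\` inside the quoted value, the xwiki/2.1 escape stops the user reference from being interpreted as wiki syntax once the `~` escapes are consumed, and the surrounding `~"` quotes keep a comma in the reference from splitting the translation's parameter list — confirm. A Velocity comment above the line along the lines of `## Quote and escape the user reference: java-escape the inner quotes, then escape for xwiki/2.1 so the value can neither inject wiki syntax nor split the parameter list.` would stop the next maintainer from collapsing it back to a bare `$wikimacro.parameters.user`. The second hunk (line 406) matches the `$escapetool.xml` treatment used in the other five macros. The `#elseif` chain of the first hunk continues outside it.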

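--- a/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsCustomFiltersPreferencesMacro.xml
+++ b/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsCustomFiltersPreferencesMacro.xml
@@ -1083,7 +1083,7 @@ require(['jquery', 'AddCustomNotificationFilterPreferenceLivetable', 'xwiki-boot
 #else
 #set ($targetUser = $xcontext.userReference)
 #end
-#set ($divData = "data-doc-url=""$escapetool.xml($services.rest.url($targetUser))"" data-user=""$services.model.serialize($targetUser)""")
+#set ($divData = "data-doc-url=""$escapetool.xml($services.rest.url($targetUser))"" data-user=""$escapetool.xml($services.model.serialize($targetUser))""")
 #end
 ######################################################
 ### CSS and JAVASCRIPTS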

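--- a/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsEmailPreferencesMacro.xml
+++ b/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsEmailPreferencesMacro.xml
@@ -423,7 +423,7 @@
 {{/error}}
 #elseif ($wikimacro.parameters.target == 'user' && "$!wikimacro.parameters.user" != "" && !$services.security.authorization.hasAccess('admin', $wikimacro.parameters.user.reference) && !$xcontext.userReference.equals($wikimacro.parameters.user.reference))
 {{error}}
-{{translation key="notifications.settings.error.userReferenceAdminForbidden" parameters="$wikimacro.parameters.user" /}}
+{{translation key="notifications.settings.error.userReferenceAdminForbidden" parameters="$~"${services.rendering.escape($escapetool.java($wikimacro.parameters.user), 'xwiki/2.1')}~"" /}}
 {{/error}}
 #else
 
@@ -434,7 +434,7 @@
 #end
 #set ($dataUser = "")
 #if ($wikimacro.parameters.target == 'user')
-#set ($dataUser = "data-user=""$services.model.serialize($targetUser)""")
+#set ($dataUser = "data-user=""$escapetool.xml($services.model.serialize($targetUser))""")
 #end
 #set ($discard = $xwiki.jsx.use('XWiki.Notifications.Code.NotificationsEmailPreferencesMacro'))
 {{html clean="false"}}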
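Review bot: Line 426 reads `parameters="$~"${services.rendering.escape(...)}~""` while the equivalent line 394 in NotificationsAutoWatchPreferencesMacro.xml reads `parameters="~"${...}~""` — the extra leading `$` before `~"` does not start a valid Velocity reference, so I would expect Velocity to emit it literally and the rendered error to show a stray `$` in front of the quoted user reference. Unless that is intentional, the line should match the AutoWatch variant: `{{translation key="notifications.settings.error.userReferenceAdminForbidden" parameters="~"${services.rendering.escape($escapetool.java($wikimacro.parameters.user), 'xwiki/2.1')}~"" /}}`. The second hunk (line 437) is consistent with the `$escapetool.xml` treatment in the other macros. The `#elseif` chain of the first hunk continues outside it.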

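--- a/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsFiltersPreferencesMacro.xml
+++ b/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsFiltersPreferencesMacro.xml
@@ -1050,11 +1050,11 @@ require(['jquery', 'AddNotificationFilterPreferenceLivetable', 'xwiki-bootstrap-
 ## This should be improved later with such API.
 #elseif ("$!wikimacro.parameters.user" != "" && $wikimacro.parameters.user.class.simpleName != 'DocumentUserReference')
 {{error}}
-This macro only allows to handle DocumentUserReference references and you specified a $wikimacro.parameters.user.class.simpleName reference.
+This macro only allows to handle DocumentUserReference references and you specified a $services.rendering.escape($wikimacro.parameters.user.class.simpleName, 'xwiki/2.1') reference.
 {{/error}}
 #elseif ("$!wikimacro.parameters.user" != "" && !$services.security.authorization.hasAccess('admin', $wikimacro.parameters.user.reference) && !$xcontext.userReference.equals($wikimacro.parameters.user.reference))
 {{error}}
-You don't have administration right on $wikimacro.parameters.user.
+You don't have administration right on $services.rendering.escape($wikimacro.parameters.user, 'xwiki/2.1').
 {{/error}}
 #else
 #set ($discard = $services.logging.deprecate("NotificationsFiltersPreferencesMacro", "This macro should not be used anymore in favor of SystemNotificationsFiltersPreferencesMacro and CustomNotificationsFiltersPreferencesMacro."))
@@ -1075,7 +1075,8 @@ require(['jquery', 'AddNotificationFilterPreferenceLivetable', 'xwiki-bootstrap-
 ### MACRO CONTENT
 ######################################################
 {{html clean="false"}}
-<div class="filterPreferences xform" data-user-url="$escapetool.xml($services.rest.url($targetUser))" data-user="$services.model.serialize($targetUser)">
+<div class="filterPreferences xform" data-user-url="$escapetool.xml($services.rest.url($targetUser))"
+data-user="$escapetool.xml($services.model.serialize($targetUser))">
 <div class="row">
 <p class="xHint col-xs-12 col-sm-9 col-md-8 col-lg-9">
 $escapetool.xml($services.localization.render('notifications.settings.filters.preferences.hint'))
@@ -1109,7 +1110,8 @@ require(['jquery', 'AddNotificationFilterPreferenceLivetable', 'xwiki-bootstrap-
 ######################################################
 ### ADD FILTER MODAL
 ######################################################
-<div class="modal fade" tabindex="-1" role="dialog" id="modal-add-filter-preference" data-user="$services.model.serialize($targetUser)">
+<div class="modal fade" tabindex="-1" role="dialog" id="modal-add-filter-preference"
+data-user="$escapetool.xml($services.model.serialize($targetUser))">
 <div class="modal-dialog" role="document">
 <div class="modal-content">
 <div class="modal-header">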
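Review bot: The error text on lines 1053 and 1057 stays hard-coded English with the user reference interpolated inline, whereas the sibling macros NotificationsAutoWatchPreferencesMacro.xml and NotificationsEmailPreferencesMacro.xml render the same "no admin right on this user" case through `{{translation key="notifications.settings.error.userReferenceAdminForbidden" .../}}` in this very commit. Moving line 1057 to that translation macro with the same quoted and escaped parameter would keep the escaping strategy uniform across the six macros and make the message localizable; given the deprecation logged on line 1060 this may not be worth the churn — your call. The `$services.rendering.escape(..., 'xwiki/2.1')` used on both lines is the right primitive here, since this text lands in wiki content rather than in an HTML attribute as in the later hunks. The `#elseif` chain of the first hunk continues outside it.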

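--- a/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsSystemFiltersPreferencesMacro.xml
+++ b/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsSystemFiltersPreferencesMacro.xml
@@ -845,7 +845,7 @@ require(['jquery', 'xwiki-bootstrap-switch', 'xwiki-events-bridge'], function ($
 #else
 #set ($targetUser = $xcontext.userReference)
 #end
-#set ($divData = "data-doc-url=""$escapetool.xml($services.rest.url($targetUser))"" data-user=""$services.model.serialize($targetUser)""")
+#set ($divData = "data-doc-url=""$escapetool.xml($services.rest.url($targetUser))"" data-user=""$escapetool.xml($services.model.serialize($targetUser))""")
 #end
 ######################################################
 ### CSS and JAVASCRIPTS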
